Sign app bundle

Hello, I want to modify an app bundle for my MacBook Air, but I'm having some trouble.

  1. If I try to sign with my dev certificate (created with Xcode), an invalid signature error appears:
/Applications/Foo.app/Contents/MacOS/Foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Applications/Foo.app/Contents/MacOS/Foo, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}
  2. If I modify the Mach-O binary in the folder, the app cannot be started.

So what should I do? Thanks!

Is this an app you created? Or an app from someone else? And in that case, is it from Apple? Or another third-party developer? And is it distributed independently? Or on the Mac App Store?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is this an app you created?

No. I just have a compiled bundle.

And is it distributed independently?

Yes.

Or another third-party developer?

Yes.

I use codesign --force --deep --sign -, so I guess --deep is redundant. Also, I googled that the dash in that command is used for an ad hoc signature, so my Mac cannot use it to run.

Also, I solved the problem with the internal error in the code signing subsystem when using codesign. Another error appeared: Operation not permitted. So you should add Terminal to the Full Disk Access list.

Is this an app you created?

I just have a compiled bundle.

I’m not sure how to interpret that. The error from your first post indicates that you have an app, namely Foo.app. Did you create that app? Or did someone else?

I use codesign … --deep …

--deep is not a good idea when signing, as I explain in --deep Considered Harmful.

that dash in that command used for adhoc signature

Correct.

so my mac can not use it for run.

Not quite. By default Macs will run ad hoc signed code. This is equivalent to Sign to Run Locally in Xcode.

Whether you want to do that is another matter. There are a bunch of drawbacks to ad hoc signed code.

Regarding your other points, I’ll be happy to comment on those once I know more about the context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I’m not sure how to interpret that. The error from your first post indicates that you have an app, namely Foo.app. Did you create that app? Or did someone else?

I installed the app from the internet and am trying to deal with it. No source code, only the bundle. Foo.app is just an alias for the target app.

Not quite. By default Macs will run ad hoc signed code. This is equivalent to Sign to Run Locally in Xcode.

In the logs there is this information about that:

/Applications/Foo.app/Contents/MacOS/Foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Applications/Foo.app/Contents/MacOS/Foo, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}

I have an M1 MacBook Air. I googled that the security settings were changed for Apple Silicon. I installed all dev certs, but no change. After I signed with my dev cert via codesign -f -o runtime --timestamp -s "Apple Development: ***@gmail.com (XXXXXXXXXX)" /Applications/Foo.app I got the error mapping process and mapped file (non-platform) have different Team IDs

Next, I tried with entitlements: codesign -f -o runtime --entitlements /Users/zubastic/Desktop/entitlements.plist --timestamp -s "Apple Development: ***@gmail.com (XXXXXXXXXX)" /Applications/Foo.app:

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x00000000741f2a42

Termination Reason:    Namespace SIGNAL, Code 4 Illegal instruction: 4
Terminating Process:   exc handler [2976]

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   Foo                               0x105abf704 0x104fb4000 + 11581188
1   dyld                                  0x1958201d8 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168
2   dyld                                  0x195861c60 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 172
3   dyld                                  0x1958551a4 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 528
4   dyld                                  0x1958002d8 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 296
5   dyld                                  0x1958541cc dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
6   dyld                                  0x195856cfc dyld3::MachOFile::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, bool&) block_pointer) const + 160
7   dyld                                  0x195861904 dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 432
8   dyld                                  0x19581c85c dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 448
9   dyld                                  0x19581cc10 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 220
10  dyld                                  0x195820264 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const::$_1::operator()() const + 112
11  dyld                                  0x19581cd90 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 304
12  dyld                                  0x195840984 dyld4::APIs::runAllInitializersForMain() + 468
13  dyld                                  0x1958052d0 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3480
14  dyld                                  0x195803e18 start + 1964

Log output:

zubastic@MacBook-Air ~ % codesign -f -o runtime --entitlements /Users/zubastic/Desktop/entitlements.plist --timestamp -s "Apple Development: ***@gmail.com (XXXXXXXXXX)" /Applications/Foo.app
/Applications/Foo.app: replacing existing signature
zubastic@MacBook-Air ~ % codesign -dv -r- /Applications/Foo.app
Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.Test.Foo
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=301795 flags=0x10000(runtime) hashes=9420+7 location=embedded
Signature size=9192
Timestamp=19 Sep 2023, 15:36:31
Info.plist entries=35
TeamIdentifier=YYYYYYYYYY
Runtime Version=13.1.0
Sealed Resources version=2 rules=13 files=1306
designated => identifier "com.Test.Foo" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: ***@gmail.com (XXXXXXXXXX)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
zubastic@MacBook-Air ~ % codesign -vv /Applications/Foo.app
/Applications/Foo.app: valid on disk
/Applications/Foo.app: satisfies its Designated Requirement

entitlements.plist used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
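As an added example (not code from the thread, from Apple, or from the app's developer), the script below audits a bundle for the two things behind the post above: the "different Team IDs" error, which library validation raises under the hardened runtime when a non-platform library is signed by a team other than the main executable's, and the entitlements.plist keys that switch hardened-runtime protections off. It assumes the `codesign -dv` output format shown in the thread and that `codesign -d --entitlements :-` prints the entitlements as plist text; the bundle path is the caller's.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes macOS `codesign` output formats
# as shown in the post above (TeamIdentifier=... lines, plist entitlements).

# Print the TeamIdentifier from `codesign -dv` text on stdin.
# codesign itself prints "not set" for ad hoc signatures; if the line is
# missing entirely (unsigned code), report the same value.
team_id_from_codesign() {
    awk -F= '/^TeamIdentifier=/ { found = 1; print $2; exit }
             END { if (!found) print "not set" }'
}

# Compare main-executable team ($1) with a nested binary's team ($2).
# 0 = same team, 1 = different team (library validation will reject it),
# 2 = nested code is ad hoc / unsigned.
team_ids_consistent() {
    [ "$2" = "not set" ] && return 2
    [ "$1" = "$2" ] && return 0
    return 1
}

# List the hardened-runtime-weakening entitlement keys present in plist
# text on stdin; the key set is the one used in the thread's entitlements.plist.
weakening_entitlements() {
    grep -oE 'com\.apple\.security\.cs\.(disable-library-validation|allow-unsigned-executable-memory|disable-executable-page-protection|allow-dyld-environment-variables|allow-jit)' | sort -u
}

# Walk a bundle, compare every nested library/framework/XPC service with the
# main executable, then print which weakening entitlements the bundle carries.
audit_bundle() {
    bundle=$1
    main_team=$(codesign -dv "$bundle" 2>&1 | team_id_from_codesign)
    echo "main executable TeamIdentifier: $main_team"
    find "$bundle/Contents" \( -name '*.dylib' -o -name '*.framework' -o -name '*.xpc' \) -prune -print |
    while read -r nested; do
        nested_team=$(codesign -dv "$nested" 2>&1 | team_id_from_codesign)
        rc=0
        team_ids_consistent "$main_team" "$nested_team" || rc=$?
        case $rc in
            0) echo "ok       $nested" ;;
            2) echo "AD HOC   $nested" ;;
            *) echo "MISMATCH $nested (team $nested_team)" ;;
        esac
    done
    echo "weakening entitlements:"
    codesign -d --entitlements :- "$bundle" 2>/dev/null | weakening_entitlements
}
```

Run it as `audit_bundle /Applications/Foo.app`; a MISMATCH line names the library that triggers the Team ID error after a partial re-sign, and a non-empty entitlements list shows which protections the bundle has opted out of.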

I installed the app from the internet and am trying to deal with it.

So you’re re-signing another developer’s app. To what end? What do you hope to achieve by this that you can’t achieve by running the app directly?

This matters because some re-signing tasks are impossible due to the way that provisioning profiles work.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So you’re re-signing another developer’s app. To what end? What do you hope to achieve by this that you can’t achieve by running the app directly?

This is the first step for me. I want to change some data in the app via a hex editor.

This matters because some re-signing tasks are impossible due to the way that provisioning profiles work.

How could I get this info? Could I cut off all signing data from the previous signing?

Accepted Answer

I want to change some data in the app via a hex editor.

I’m sorry but I can’t help you with that. DTS doesn’t support developers re-signing other developers’ code.

If you want to continue down this path, you’ll have to learn a lot more about code signing, entitlements, the trusted execution system, and so on. To get started, check out the links in the Code Signing Resources and Trusted Execution Resources pinned posts.

Or you could choose a simpler starting point (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

If you want to continue down this path, you’ll have to learn a lot more about code signing, entitlements, the trusted execution system, and so on. To get started, check out the links in the Code Signing Resources and Trusted Execution Resources pinned posts.

I will continue digging. Thanks for the links. I already saw them. Unfortunately I don't have enough experience to create a working solution now.

Or you could choose a simpler starting point (-:

For me this is a challenge. So I will try to do my best with it.
